Accessible/Open MongoDB NoSQL Server Scanning Project

If you are looking at this page, you most likely noticed a scan from this server crossing your network and/or probing your MongoDB service.

The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have a MongoDB NoSQL Server running. The goal of this project is to identify openly accessible systems that have MongoDB running and report them back to the network owners for remediation.

MongoDB supports authentication, but we have found it disabled in the majority of installations. Without it, anyone who can reach the port has complete access to the instance and every database on it.

All MongoDB servers we find to be accessible are included in our reports, which are sent out daily.

Methodology

We are querying all computers with routable IPv4 addresses that are not firewalled from the internet on port 27017/tcp with the command "buildInfo" and capturing the response. A secondary test is then performed with the command "listDatabases". The first command is answered by any MongoDB server, whether or not authentication is enabled, so it identifies the service; the second succeeds only when the server does not enforce authentication, so it identifies an open instance. We intend no harm, but if we are causing problems, please contact us at gro [tod] revfooreswodahs [ta] nacbarssnd
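The following self-check reproduces the two probes described above against a host you own, so you can see what this scan sees. It is an added example, not Shadowserver's scanner code. It hand-rolls the small subset of BSON and the OP_MSG wire message it needs so that it runs without pymongo; it assumes a MongoDB 3.6 or later server (OP_MSG; older servers only speak OP_QUERY), and the host, port and 5-second timeout are the caller's choice. The `probe` function is the only part that touches the network; everything else works on bytes, and the sample replies used to exercise it are constructed, not captured.

```python
"""Self-check for the two probes above: unauthenticated "buildInfo" then
"listDatabases" over OP_MSG on 27017/tcp (added example, not Shadowserver's code)."""
import socket
import struct

OP_MSG = 2013  # wire-protocol opcode for OP_MSG (MongoDB 3.6 and later)


def encode_bson(doc):
    """Encode a dict as BSON (bool, int32, double, str, dict, list only)."""
    out = b""
    for key, val in doc.items():
        k = key.encode() + b"\x00"
        if isinstance(val, bool):  # check bool first: bool is a subclass of int
            out += b"\x08" + k + (b"\x01" if val else b"\x00")
        elif isinstance(val, int):
            out += b"\x10" + k + struct.pack("<i", val)
        elif isinstance(val, float):
            out += b"\x01" + k + struct.pack("<d", val)
        elif isinstance(val, str):
            s = val.encode() + b"\x00"
            out += b"\x02" + k + struct.pack("<i", len(s)) + s
        elif isinstance(val, dict):
            out += b"\x03" + k + encode_bson(val)
        elif isinstance(val, list):  # arrays are documents keyed "0", "1", ...
            out += b"\x04" + k + encode_bson({str(i): v for i, v in enumerate(val)})
        else:
            raise TypeError("unsupported BSON type: %r" % type(val))
    return struct.pack("<i", len(out) + 5) + out + b"\x00"  # +5: length int32 and final NUL


def decode_bson(buf):
    """Decode one BSON document -> (dict, bytes consumed); covers the types seen in
    buildInfo/listDatabases replies and raises on anything else."""
    total = struct.unpack_from("<i", buf, 0)[0]
    doc, pos = {}, 4
    while buf[pos] != 0:
        t, end = buf[pos], buf.index(b"\x00", pos + 1)
        key, pos = buf[pos + 1:end].decode(), end + 1
        if t == 0x01:                                   # double
            val, pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif t == 0x02:                                 # UTF-8 string, int32 length incl. NUL
            n = struct.unpack_from("<i", buf, pos)[0]
            val, pos = buf[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif t in (0x03, 0x04):                         # embedded document / array
            val, n = decode_bson(buf[pos:])
            pos += n
            if t == 0x04:
                val = [val[i] for i in sorted(val, key=int)]
        elif t == 0x05:                                 # binary: int32 length, subtype, bytes
            n = struct.unpack_from("<i", buf, pos)[0]
            val, pos = buf[pos + 5:pos + 5 + n], pos + 5 + n
        elif t == 0x08:                                 # bool
            val, pos = buf[pos] == 1, pos + 1
        elif t == 0x10:                                 # int32
            val, pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        elif t in (0x11, 0x12):                         # timestamp (uint64) / int64
            val, pos = struct.unpack_from("<Q" if t == 0x11 else "<q", buf, pos)[0], pos + 8
        else:
            raise ValueError("unsupported BSON type 0x%02x" % t)
        doc[key] = val
    return doc, total


def build_op_msg(command, request_id, response_to=0):
    """OP_MSG = 16-byte header, flagBits (0), one kind-0 section holding the command."""
    body = struct.pack("<I", 0) + b"\x00" + encode_bson(command)
    return struct.pack("<iiii", 16 + len(body), request_id, response_to, OP_MSG) + body


def parse_op_msg(data):
    """Parse an OP_MSG -> (responseTo, body document)."""
    length, _, response_to, opcode = struct.unpack_from("<iiii", data, 0)
    if opcode != OP_MSG or data[20] != 0:  # bytes 16-19 flagBits, byte 20 section kind
        raise ValueError("not a kind-0 OP_MSG")
    return response_to, decode_bson(data[21:length])[0]


def classify(listdb_reply):
    """Interpret the listDatabases reply the way the secondary test would."""
    if listdb_reply.get("ok") == 1 and "databases" in listdb_reply:
        return "OPEN: %d database(s) listed without authentication" % len(listdb_reply["databases"])
    if listdb_reply.get("code") == 13:  # server error code 13 == Unauthorized
        return "authentication required"
    return "unexpected reply: %s" % listdb_reply.get("errmsg", listdb_reply)


def probe(host, port=27017, timeout=5.0):
    """Send buildInfo, then listDatabases, with no credentials; return both replies."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        for rid, cmd in ((1, "buildInfo"), (2, "listDatabases")):
            s.sendall(build_op_msg({cmd: 1, "$db": "admin"}, rid))
            head = f.read(4)  # messageLength prefix, then the rest of the message
            response_to, doc = parse_op_msg(head + f.read(struct.unpack("<i", head)[0] - 4))
            if response_to != rid:
                raise ValueError("reply %d does not match request %d" % (response_to, rid))
            results[cmd] = doc
    return results
```

Usage: `r = probe("your.mongo.host"); print(r["buildInfo"].get("version")); print(classify(r["listDatabases"]))`. A server with `security.authorization` enabled still returns its version to buildInfo but answers listDatabases with error code 13 (Unauthorized), which is exactly why the second command is the one that separates an open instance from a merely reachable one. Run it only against hosts you are responsible for.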

Whitelisting

To be excluded from this scan you will need to send an email to dnsscan [at] shadowserver [dot] org listing the specific CIDRs you would like removed. You must be the verifiable owner of those CIDRs and be able to prove it. Any address space that is whitelisted will be publicly listed here: https://mongodbscan.shadowserver.org/exclude.html